Threat Group Cards: A Threat Actor Encyclopedia

APT group: Mikroceen

Names: Mikroceen (ESET), SixLittleMonkeys (Kaspersky)
Country: China
Motivation: Information theft and espionage
First seen: 2017
Description: (ESET) In this joint blog post with fellow researchers from Avast, we provide a technical analysis of a constantly developed RAT that has been used in various targeted campaigns against both public and private subjects since late 2017. We observed multiple instances of attacks involving this RAT, and all of them happened in Central Asia. Among the targeted subjects were several important companies in the telecommunications and gas industries, and governmental entities.

Moreover, we connect the dots between the latest campaign and three previously published reports: Kaspersky’s Microcin against Russian military personnel, Palo Alto Networks’ BYEBY against the Belarusian government and Check Point’s Vicious Panda against the Mongolian public sector. Also, we discuss other malware that was typically a part of the attacker’s toolset together with the RAT. We chose the name Mikroceen to cover all instances of the RAT, in acknowledgement of Kaspersky’s initial report on the family. The misspelling is intentional, in order to avoid the established microbiological notion, but also to have at least phonemic agreement.
Observed sectors: Defense, Government, Oil and gas, Telecommunications.
Observed countries: Belarus, Mongolia, Russia and Central Asia.
Tools used: Gh0st RAT, logon.dll, logsupport.dll, Microcin, Mimikatz, pcaudit.bat, sqllauncher.dll.
Information: <https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/>
<https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/>
<https://securelist.com/microcin-is-here/97353/>

Last change to this card: 22 June 2020

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency